[FW1] Metaframe over VPN = Fixed!
Well, if you remember, I was having problems with keeping VPN connections to my Metaframe during policy installs. When a policy was installed, all VPN connections to the Metaframe server were dropped. Worse, the Metaframe server then ceased to accept any TCP/IP connections - even from within the LAN - until it was rebooted.

It took many emails to a Checkpoint rep, but I finally appear to have a working solution. CP advised me to add the following to the props section of objects.c:

    :tcpestb_grace_period (40)

Apparently what this does is allow a 40 second grace period after policy installs for incoming NON-SYN connections to be compared to the rule base if the connection table has been purged.

It worked like a charm. The CP rep assures me that there is no security compromise with doing this. I'm not sure I necessarily believe him, but if it only opens a 40 second window after policy installs where we might be slightly vulnerable, I think I'm willing to use it.

Hope someone finds this useful.

TT
turambar386
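The behaviour described in the post above, as a simplified model; this is an added example, not part of the original message and not Check Point code. The Firewall class, the addresses and the port are constructed for illustration, and the semantics follow only the poster's description of the setting.

```python
# Simplified model of a stateful filter with a post-install grace period.
# Assumption: semantics are taken from the post's description, not from FW-1.
from dataclasses import dataclass, field

GRACE_SECONDS = 40  # value from the post's :tcpestb_grace_period (40)

@dataclass
class Firewall:
    allowed: set                              # constructed rule base: (dst_ip, dst_port)
    grace: int = GRACE_SECONDS
    conns: set = field(default_factory=set)   # state table of TCP 4-tuples
    installed_at: float = float("-inf")       # time of the last policy install

    def install_policy(self, now):
        """A policy install purges the connection table, as the post describes."""
        self.conns.clear()
        self.installed_at = now

    def handle(self, now, src, sport, dst, dport, syn):
        key = (src, sport, dst, dport)
        if key in self.conns:
            return "accept: established"
        in_grace = 0 <= now - self.installed_at <= self.grace
        if not syn and not in_grace:
            # Mid-stream packet with no state and no grace window.
            return "drop: out of state"
        if (dst, dport) not in self.allowed:
            return "drop: rule base"
        self.conns.add(key)                   # (re)create the state entry
        return "accept: new" if syn else "accept: grace"

def demo(grace):
    """Replay one constructed session across a policy install."""
    fw = Firewall(allowed={("10.0.0.5", 1494)}, grace=grace)  # constructed host/port
    session = ("192.0.2.10", 40000, "10.0.0.5", 1494)
    stranger = ("198.51.100.7", 40001, "10.0.0.5", 1494)
    results = [fw.handle(0, *session, syn=True)]
    fw.install_policy(now=100)
    results.append(fw.handle(105, *session, syn=False))   # existing session resumes
    results.append(fw.handle(120, *stranger, syn=False))  # no prior handshake seen
    results.append(fw.handle(120, "198.51.100.7", 40002, "10.0.0.5", 23, syn=False))
    results.append(fw.handle(141, "198.51.100.7", 40003, "10.0.0.5", 1494, syn=False))
    return results

if __name__ == "__main__":
    print("grace=40:", demo(40))
    print("grace=0: ", demo(0))
```

In this model the cost of the window is the third packet: for 40 seconds a non-SYN packet that the rule base would allow creates state without the filter having seen a handshake, while traffic the rule base denies is still dropped.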